When first getting to know FreePBX, even experienced system administrators often make the same mistakes, which can seriously spoil the mood and discourage any desire to continue mastering the system.
First of all, of course, these are errors related to the security of the PBX. Remember that once you connect to a telephony operator you are fully financially responsible for the calls, even if you did not actually make them! Let's see what needs to be done first, and what must never be done.
Immediately after installing the system, disable the ability to receive guest and anonymous calls, unless, of course, you intend to use them. Otherwise you are effectively allowing anyone to make calls through your PBX, which can lead to significant financial losses.
Settings → Asterisk Settings for SIP → General SIP Settings
Settings → Asterisk Settings for SIP → SIP Channel Settings
Although FreePBX is constantly updated and the developers put great effort into the security of the system, vulnerabilities are periodically discovered in the code, through which attackers can obtain, for example, the access credentials for your telecom operators. Even though in that case the calls will not originate from your PBX, the operator will most likely still demand payment from you. Therefore, do not forget to protect the web interface: if the server is installed on your local network, do not forward port 80 to the outside; for remote configuration you can use a VPN, an SSH tunnel or any other access method. If FreePBX is installed on a remote server or for some other reason is directly reachable from the network, you can restrict connections to port 80 at the iptables level, and also use Basic Auth password protection as an additional security measure.
If you installed FreePBX from the official image, you will need to edit the file
/etc/httpd/conf.d/freepbx.conf
At the very end, before the last line, add the following
AuthType Basic
AuthName "Administrative zone"
AuthUserFile /.htpasswd
Require valid-user
Pay attention to the path to the .htpasswd file: you can store it at any path you choose. Then you need to create an account. Go to the chosen directory and run
htpasswd -c .htpasswd admin
and enter the password for the admin user. Do not forget to reload apache:
service httpd reload
And check the result:
You should also contact your telecom operator and restrict connections with your credentials to your IP address: in that case, even if attackers obtain your username and password, they will not be able to use them.
Of course, we must not forget about the security of the user accounts on your PBX. If possible (for example, when all your users are on the local network), be sure to restrict connections by IP address: even if a certain user's password is compromised, attackers from outside will not be able to use it.
Applications → Extension → Extension → Extended
There are situations when it is not possible to restrict a user by IP, for example when an account is used from a mobile phone on various 3G, 4G and Wi-Fi networks. In this case, first of all check the strength of your passwords. Remember: even on an "empty" PBX, even for testing, never set passwords like qwerty, because afterwards you may forget about that account, and guessing such a password is just as easy.
Applications → Extension → Extension → General

You also need to think about password brute-forcing. Naturally, if your server serves clients from a single network and connects to a single telecom operator, you can and even should restrict access to the SIP port (usually 5060) for everyone except the known addresses of your networks and providers; for example, if you installed FreePBX manually:
-A INPUT -s xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s yyy.yyy.yyy.yyy/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
Or use the built-in Firewall in the web interface if you installed the system from the official image. You can set trusted and external networks manually in the menu
Connections → Firewall → Zones → Network
and then specify which services are opened, in the tab
Connections → Firewall → Services
But it is not always possible to leave only a few subnets for the SIP port. In this case it is highly recommended to install fail2ban and configure it for use with Asterisk. Based on the logs of authorization attempts, this daemon blocks overly persistent addresses for a certain time after a specified number of failed attempts, which stops brute force. In recent versions of fail2ban the rules for Asterisk are already included, but it is recommended to verify that it works: perform several registration attempts with a deliberately wrong login and password (just not from the same IP address from which you connect to the server!) and check that this address is blocked with the command
iptables -L
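To make the check above concrete, here is an added example (it is not from the article and not fail2ban's own code) that reproduces what the daemon does: it counts failed SIP registrations per source address in Asterisk's log and "bans" an address once it exceeds a threshold inside a time window. The log lines are constructed in the chan_sip format, and the maxretry/findtime values are assumptions chosen for the demonstration; the iptables rule text is only a sketch of what the default action inserts and the chain name varies between fail2ban versions.

```python
"""Added example: a minimal fail2ban-style counter over constructed Asterisk log lines.

Not part of the original article and not fail2ban's code; it only illustrates the
logic that fail2ban's asterisk filter and its iptables action implement.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape chan_sip writes to /var/log/asterisk/full:
# five quick failures from 198.51.100.23 (a brute-force pattern) and two failures
# from 192.0.2.77 half an hour apart (a user who mistyped a password twice).
SAMPLE_LOG = """\
[2024-01-10 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-01-10 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-01-10 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2024-01-10 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-01-10 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-01-10 10:00:06] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.77:5060' - Wrong password
[2024-01-10 10:30:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.77:5060' - Wrong password
"""

# Matches a failed REGISTER line and captures the timestamp, source IP and reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for every failed-registration line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["reason"]


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for sources with >= maxretry failures within findtime.

    maxretry and findtime mirror fail2ban's knobs of the same name; the defaults
    here are assumptions for the demonstration, not fail2ban's shipped values.
    """
    window = defaultdict(list)  # ip -> timestamps of recent failures
    bans = {}
    for ts, ip, _reason in parse_failures(lines):
        if ip in bans:
            continue  # already banned; fail2ban stops counting until the ban expires
        recent = window[ip]
        recent.append(ts)
        # Drop failures that fell out of the sliding findtime window.
        while recent and ts - recent[0] > findtime:
            recent.pop(0)
        if len(recent) >= maxretry:
            bans[ip] = ts
    return bans


def ban_rules(bans):
    """Sketch of the per-address rules the ban action inserts (chain name is assumed)."""
    return [f"-A f2b-asterisk -s {ip}/32 -j REJECT --reject-with icmp-port-unreachable"
            for ip in sorted(bans)]


if __name__ == "__main__":
    banned = find_bans(SAMPLE_LOG.splitlines())
    for ip, when in banned.items():
        print(f"{ip} banned at {when}")
    print("\n".join(ban_rules(banned)))
```

Running the block bans only 198.51.100.23: the two failures from 192.0.2.77 are thirty minutes apart, so they never accumulate inside the window, which is exactly why you should test with rapid repeated attempts from an address you can afford to lose access from.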
In the official FreePBX build, the password brute-force protection is already installed and configured. Blocked addresses can be seen in the tab
Connections → Firewall → Status
Very often, especially in small organizations where only one provider is used, system administrators pay no attention to configuring outbound routes correctly and settle for a catch-all X. pattern, thereby allowing all users to call any phone number. Even if you completely exclude the possibility of calls being made by intruders, do not forget that a user may simply make a mistake and call somewhere in the Dominican Republic, so outgoing calls must be restricted. Usually it is enough to add patterns for calling landline and mobile numbers; for Russia the route might look like this:
Connections → Outbound Routing → Route → Dialing Rules
Here we require that the number be 11 digits long, start with 8, and have 3, 4, 8 or 9 as the second digit, which covers all Russian numbers, and we also allow only extensions 100-199 to call through this route. If an employee needs international calls opened, add an additional route for them ahead of the main one, specifying their extension (or an extension pattern, if there are several such employees) in the CID field.
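The route in the text is shown only as a screenshot, so the following added example (my code, not FreePBX's) spells out the same logic in Python: it converts FreePBX dial patterns (X, Z, N, [...] classes and the . wildcard) to regular expressions and walks an ordered route list the way the outbound routing module does, first match wins. The pattern strings 8[3489]XXXXXXXXX and 1XX are my reconstruction of the rule described above; the international route, its 810. pattern (810 being the prefix dialled from Russia for international calls) and the extension 105 are assumed for illustration, and the catch-all route is included only to show how the mistake described in the text behaves.

```python
"""Added example: FreePBX-style outbound route matching.

Not from the article and not FreePBX's own code. Patterns use the dial-rule
syntax of the FreePBX web interface (no leading underscore); the route table
below is an assumed configuration reconstructed from the text.
"""
import re

# Route table: ordered list of (route name, list of (prefix, match pattern, caller id)).
# FreePBX evaluates routes top to bottom and uses the first one whose rule matches.
ROUTES = [
    # Assumed: one employee (extension 105) may dial international numbers (810 + digits).
    ("international-manager", [("", "810.", "105")]),
    # The route described in the article: 11 digits, 8 then 3/4/8/9, extensions 100-199 only.
    ("russia", [("", "8[3489]XXXXXXXXX", "1XX")]),
]

# The mistake the article warns about: a single X. pattern with an empty CID field.
CATCH_ALL_ROUTES = [("anything", [("", "X.", "")])]


def pattern_to_regex(pattern):
    """Translate a FreePBX/Asterisk dial pattern into an anchored regular expression."""
    out = []
    i = 0
    pattern = pattern.upper()
    while i < len(pattern):
        c = pattern[i]
        if c == "X":
            out.append("[0-9]")
        elif c == "Z":
            out.append("[1-9]")
        elif c == "N":
            out.append("[2-9]")
        elif c == "[":                      # character class such as [3489]
            j = pattern.index("]", i)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j
        elif c == ".":                      # one or more of any character
            out.append(".+")
        elif c == "!":                      # zero or more (early match)
            out.append(".*")
        else:                               # literal digit or symbol
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_matches(rule, number, cid):
    """True if the dialled number and the caller's extension satisfy one dial rule."""
    prefix, match, cid_pattern = rule
    if not re.match(pattern_to_regex(prefix + match), number):
        return False
    if cid_pattern and not re.match(pattern_to_regex(cid_pattern), cid):
        return False
    return True


def select_route(number, cid, routes=ROUTES):
    """Return the name of the first route that accepts the call, or None if nothing does."""
    for name, rules in routes:
        if any(rule_matches(r, number, cid) for r in rules):
            return name
    return None


if __name__ == "__main__":
    for number, cid in [("84951234567", "101"), ("81012025550123", "101"),
                        ("81012025550123", "105"), ("84951234567", "201")]:
        print(number, cid, "->", select_route(number, cid), "| catch-all:",
              select_route(number, cid, CATCH_ALL_ROUTES))
```

With the restricted table, a call to 810-1-202-555-0123 from extension 101 is rejected while the same call from 105 goes out via the first route, and a landline number from extension 201 has no route at all; with the catch-all table every one of those calls is allowed, which is the point of the warning above.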
You should also always set the number of simultaneous outgoing calls in the trunk settings, especially if the operator does not limit it on their side (10 employees cannot make 100 outgoing calls, but in the case of unauthorized calls the attackers will try to use the maximum number of channels).
Connections → Trunks → Trunk Settings → General
The next common mistake is to create a call queue with no time limit and without the "leave an empty queue" condition. This is especially dangerous if you use an 8-800 number, where you pay for incoming calls: a department may be left without communication (the switch hangs, the power goes out, the rats have eaten the twisted pair), incoming calls for it will keep arriving in the queue, and especially persistent callers can wait on the line for hours.
Trouble can also arise if you do not use 8-800 but the service provider limits the number of simultaneous incoming calls, or uses copper lines or a stream. In this case the channel capacity is spent simply on playing music to callers, and as a result you can end up with all your incoming channels busy waiting in an empty queue. That is why you should always limit the waiting time in the queue and prevent calls from entering empty queues.
Applications → Queues → Queue Settings → Time and Agent Settings
Applications → Queues → Queue Settings → Queue Capacity Settings

Voice greetings and voice menus are certainly useful and necessary functions, used by almost every organization that has decided to switch to FreePBX, but mistakes are often made when setting them up. First, the Greeting module, that is, simply playing a voice clip that cannot be skipped (or can be skipped by pressing a key, which you usually forget to tell the caller about), should be used only when there is a real need for it. I have seen a minute-long clip placed in the greeting, with the IVR offering a choice of department only after it. When a customer calls for the first time this seems normal, but when he calls back for the fifth time in an hour and for the fifth time in a row listens to how glad the company is about his call, he begins to doubt it. The client already knows that he needs to press 2 to reach the right department, but he is forced to listen to the entire greeting again and again. Keep the use of Greetings to a minimum, use IVR and allow direct dialling: this reduces the client's waiting time and does not annoy him.
When creating an IVR menu, people also often forget to change the default handling of invalid input: when a key that is not described in the rules is pressed, the menu is repeated several times. This behaviour is appropriate only when a choice absolutely must be made (an extremely rare case) and is completely inappropriate in the first, welcome voice menu. Turn off the repetition of the voice menu and transfer the call to a default destination: the secretary, the managers' queue, and so on. The same applies to the timeout setting.
Applications → Interactive Menu (IVR) → IVR Settings
If you are not sure that these and other errors have been excluded on your FreePBX, and you want to feel safe, contact us, and professionals with many years of experience in IP telephony will audit the system and correct all the mistakes made.